> Would there be a solution around this? Would it not make sense to have the ability to add IP's to address-lists with a timeout?

That is not a current feature. You'll either have to write your code around it and manually delete items, or wait for it to get implemented (which may not happen).
hping3 -c 1 -C 3 -K 9 -a <Attackers IP> 203.0.113.111
add chain=forward dst-address=203.0.113.111 protocol=icmp icmp-options=3:9 action=add-src-to-address-list address-list-timeout=24h address-list=remote_evilhosts comment="Secret message from server, block for 24h"
add chain=forward dst-address=203.0.113.111 protocol=icmp icmp-options=3:9 action=drop comment="Keep secrets secret"
> I see how to add an address to a list, but not how to remove an address from a list. I only see how to remove a whole list.

Well why didn't you say you could have fail2ban run an "unban" event.
The basic idea would not be to use any timeout on the MikroTik device (not really a standard feature and really unlikely to be implemented) but to rely on fail2ban itself (which handles "ban" and "unban" events: so basically, on each event, triggering an ssh address-list management command on the MikroTik firewall). All would be done by a fine fail2ban setup.
> Well why didn't you say you could have fail2ban run an "unban" event.

Well, I'm not the OP, I just joined the conversation.
Owww, thank you very much, I was looking in /ip firewall filter section...
> Optionally, consider having it purge the list every time the server reboots

Right. FYI, fail2ban allows "easy" implementation of new service monitors (well, not new in our case (ssh)) and new "actions" (commands to run on events).
[ssh-MikroTik]
enabled  = true
filter   = sshd
action   = MikroTik
logpath  = /var/log/messages
maxretry = 5

[proftpd-MikroTik]
enabled  = true
filter   = proftpd
action   = MikroTik
logpath  = /var/log/messages
maxretry = 5
[Definition]
actionstart = ssh -i PATHTOSSHKEYFILE USER@MIKROTIKBOX "/ip firewall address-list remove [find list=Fail2Ban]"
actionstop  = ssh -i PATHTOSSHKEYFILE USER@MIKROTIKBOX "/ip firewall address-list remove [find list=Fail2Ban]"
actioncheck =
actionban   = ssh -i PATHTOSSHKEYFILE USER@MIKROTIKBOX "/ip firewall address-list add list=Fail2Ban address=<ip> comment=<time>"
actionunban = ssh -i PATHTOSSHKEYFILE USER@MIKROTIKBOX "/ip firewall address-list remove [find address=<ip> list=Fail2Ban]"
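As an added example (not code posted in this thread), here is a small POSIX shell wrapper that the ban/unban/start events of the action above could call instead of inline ssh commands. It builds the same RouterOS address-list commands, refuses anything that is not a plain IPv4 address so that nothing unexpected can reach the remote command line, and has a dry-run mode so the action can be exercised from a shell before fail2ban drives it. The script name, the list name, the router login and the key path are assumptions; the router address is a constructed placeholder.

```shell
#!/bin/sh
# Added example: wrapper for a fail2ban MikroTik action. Intended use in action.d
# (assumed names):
#   actionstart = /usr/local/bin/mikrotik-addrlist.sh flush
#   actionban   = /usr/local/bin/mikrotik-addrlist.sh ban <ip> <time>
#   actionunban = /usr/local/bin/mikrotik-addrlist.sh unban <ip>
LIST="${LIST:-Fail2Ban}"                   # assumed address-list name
ROUTER="${ROUTER:-admin@192.0.2.1}"        # constructed placeholder login
KEY="${KEY:-/etc/fail2ban/mikrotik_key}"   # assumed path to the ssh key

# Accept only a dotted-quad IPv4 address with octets in 0..255. Spaces,
# RouterOS syntax or anything else is rejected before a command is built.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print (do not run) the RouterOS command for one event.
# build_ros_cmd ban|unban|flush [ip] [timestamp]
build_ros_cmd() {
    action=$1; ip=$2; stamp=${3:-$(date +%s)}
    case "$action" in
        flush)
            printf '/ip firewall address-list remove [find list=%s]\n' "$LIST"
            return 0 ;;
        ban|unban) ;;
        *)  echo "usage: $0 ban|unban|flush <ip> [timestamp]" >&2; return 2 ;;
    esac
    is_ipv4 "$ip" || { echo "refusing non-IPv4 address: $ip" >&2; return 2; }
    if [ "$action" = ban ]; then
        printf '/ip firewall address-list add list=%s address=%s comment=%s\n' \
            "$LIST" "$ip" "$stamp"
    else
        printf '/ip firewall address-list remove [find address=%s list=%s]\n' \
            "$ip" "$LIST"
    fi
}

# Execute the command over ssh, or only show the ssh invocation when DRY_RUN
# is set, so the action can be checked by hand first.
run_action() {
    cmd=$(build_ros_cmd "$@") || return $?
    if [ -n "$DRY_RUN" ]; then
        printf 'ssh -i %s -o BatchMode=yes %s "%s"\n' "$KEY" "$ROUTER" "$cmd"
    else
        ssh -i "$KEY" -o BatchMode=yes "$ROUTER" "$cmd"
    fi
}

# Dispatch only when invoked as the script itself, not when sourced.
case "${0##*/}" in
    mikrotik-addrlist.sh) run_action "$@" ;;
esac
```

Try it first with `DRY_RUN=1 ./mikrotik-addrlist.sh ban 192.0.2.10`, which prints the ssh command without connecting; `BatchMode=yes` makes ssh fail fast instead of prompting for a password when fail2ban runs it unattended.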
When all you have is a hammer, everything looks like a nail.
@janisk: luckily fail2ban already manages all this stuff internally (host storage, expiring timers, etc.). Heavy artillery shouldn't be necessary in this case.